Features Introduced in GlobalProtect App 5.0

Learn about the exciting new features introduced in the GlobalProtect™ App 5.0 release.
The following table describes the new features introduced in GlobalProtect app 5.0. For additional information on how to use the new features in this release, refer to the GlobalProtect App 5.0 New Features Guide.
New GlobalProtect Feature
Description
iOS 13 Support
GlobalProtect app for iOS 5.0.8 and later versions supports iOS 13.
GlobalProtect Event Logs for Diagnosis
(GlobalProtect app 5.0.6 and later releases) To provide full visibility into connection workflows and make it easier to troubleshoot connectivity issues, the GlobalProtect app for Android, iOS, Windows, and macOS can now capture GlobalProtect events as they occur and bundle them with the other logs in the GlobalProtectLogs.zip file. When users call in with issues, you can use the detailed messages and errors in the new pan_gp_event.log file to trace what happened and identify the stage at which the connection problem occurred.
SSL Tunnel Enforcement
(GlobalProtect app 5.0.6 and later releases with Content Release version 8207-5750 or later) To mitigate the challenges of reliable connectivity in regions where IPSec is not permitted or to offer a fallback option to use SSL instead of IPSec, you can now specify whether to use SSL. For VPN access, you can opt to enforce SSL connections only, disallow SSL connections, or allow the user to choose SSL or IPSec (default) depending on the geo-location and network performance to provide the best user experience.
To configure SSL options, choose the Connect Using SSL Only options you want to allow in the App configuration of your GlobalProtect portal.
macOS 10.15 Support
GlobalProtect app for macOS 5.0.4 and later versions supports macOS 10.15.
Tunnel Preservation After Logoff
(GlobalProtect app 5.0.4 and later releases with Content Release version 8181-5602 or later for Windows 10) GlobalProtect can now preserve the GlobalProtect tunnel after the user logs off for an administrator-configurable time. Retaining the same tunnel when a user logs out and back in enables Windows to correctly apply Group Policy Object (GPO) updates. To configure this behavior, set the new Preserve Tunnel on User Logoff Timeout option in the App configuration of your GlobalProtect portal.
You can specify a range from 0 to 600 seconds. The default is 0, meaning GlobalProtect immediately disconnects the tunnel after the user logs out.
Automatic Launch for Captive Portal Page
(GlobalProtect app 5.0.4 and later releases with Content Release version 8181-5602 or later for Windows and Mac) To provide a seamless user experience while enforcing GlobalProtect, the GlobalProtect app can now automatically launch the default browser and navigate to a preconfigured website when a captive portal page from the Wi-Fi provider is detected. You configure the option to Automatically Launch Webpage in Default Browser Upon Captive Portal Detection in the App configuration of your GlobalProtect portal.
If you choose to disable this option, the end user must first open a browser before the captive portal page will display.
Landscape Mode Support on iPads
(GlobalProtect app 5.0.3 and later releases) GlobalProtect app 5.0 for iOS endpoints supports landscape mode on iPads.
User-Initiated Pre-Logon Connection
(GlobalProtect app 5.0.3 and later releases) You can now enable end users to initiate the GlobalProtect pre-logon connection manually on Windows 10 endpoints. When you enable this option, the pre-logon connection no longer initiates as soon as the endpoint boots up. Instead, users can initiate the pre-logon connection only when their endpoint requires access to the corporate network before login.
Support for Preferred Gateways
(GlobalProtect app 5.0.3 and later releases for Android, Windows, and Mac; GlobalProtect app 5.0.7 and later releases for iOS) For a more seamless user experience, end users can now assign and automatically connect to a preferred GlobalProtect gateway. By default, the GlobalProtect app automatically connects to the best available gateway based on the priority, source region, and response time of the configured gateways. With this enhancement, users who need to connect from a particular geographical location or access resources that are available only through a certain gateway can now automatically connect to a preferred gateway regardless of priority and response time.
Support for 100 Manual Gateways
(GlobalProtect app 5.0.3 and later releases for Android, Windows, Mac, and Linux; GlobalProtect app 5.0.7 and later releases for iOS) To provide more gateway connection options to end users, the GlobalProtect app now supports up to 100 manual gateways.
Support for iOS 12
GlobalProtect app 5.0 for iOS endpoints supports iOS 12.
GlobalProtect App for iOS User Experience Enhancements
GlobalProtect app 5.0 for iOS endpoints introduces an enhanced user experience through a more modern and intuitive app interface, a streamlined connection process, and simplified workflows. The new app also features a native iOS app experience that enables GlobalProtect to access the endpoint's built-in capabilities (such as system notifications) and run more seamlessly on the endpoint.
In addition, GlobalProtect app 5.0 introduces authentication changes, changes to the mobile device management (MDM) configuration, and the capability for remote users to change their RADIUS or Active Directory (AD) password through the app.
GlobalProtect App for Android User Experience Enhancements
GlobalProtect app 5.0 for Android endpoints introduces an enhanced user experience through a modern and intuitive app interface and streamlined connection process. The new app also features a native Android app experience that enables the app to access the endpoint's built-in capabilities (such as system notifications) and run more seamlessly on the endpoint.
Gateway Location Visibility for End Users
To aid end users with troubleshooting, the GlobalProtect app now displays the administrator-defined location of the connected GlobalProtect gateway. When end users experience unusual behavior, such as poor network performance, they can provide this location to their support or Help Desk professionals. By identifying the location, end users can determine their proximity to the gateway and evaluate whether to switch to a closer gateway.
To configure a location label for a gateway, refer to the PAN-OS 9.0 Release Notes.
Always On Security for Chromebooks
Chromebooks now support Always On VPN through extended support for the GlobalProtect app for Android. With Always On VPN, GlobalProtect initiates a connection each time users log in to their Chromebooks. This enables you to maintain full visibility into your Chromebook users’ traffic and provide consistent policy enforcement.
Refer to Chrome OS Systems Supporting Android Apps for the list of Chromebook models that support Android apps.
FIPS-CC Mode for GlobalProtect on Windows and macOS
(Certification is pending)
In preparation for submitting the GlobalProtect 5.0 app for FIPS-CC certification, the GlobalProtect app for Windows and Mac endpoints has been updated to meet FIPS-CC requirements. With this feature, you can deploy the GlobalProtect app in FIPS-CC mode to enforce stronger security checks for your users, including the following:
  • Enhanced certificate validity checks
  • Stricter x509v3 certificate checks, such as OCSP/CRL checks and extended key usage checks
  • Algorithm health checks (such as FIPS self-tests and integrity checks) to verify the system integrity and ensure that GlobalProtect uses the correct cryptography for secure communication
  • Use of FIPS and CC compliant algorithms for enhanced security (for example, to ensure that GlobalProtect does not use weak algorithms or key sizes)
  • Updated logging that provides the results of these security checks
Federal Information Processing Standard (FIPS 140-2) and Common Criteria (CC) are security certifications that ensure a standard set of security assurances and functionalities. These certifications are often required by U.S. government agencies and other domestic and international regulated industries.
GlobalProtect App for iOS and Android MDM Integration for HIP-based Policy Enforcement
The GlobalProtect app for iOS and Android endpoints can now obtain the endpoint ownership category, endpoint compliance status, and other attributes from mobile device management (MDM) systems for use in HIP-based policy enforcement. For iOS endpoints, MDM systems send these attributes to the GlobalProtect app as part of the VPN profile. For Android endpoints, MDM systems send these attributes as part of the App Restrictions. After the GlobalProtect app receives these attributes, it sends this data to the GlobalProtect gateway in the HIP report to enable HIP-based security policies.
